Existing computer security techniques mainly fall into three categories: 1. security systems based on a “scanning and killing” mechanism, for example anti-virus software or firewalls; 2. security systems based on a “shielding” mechanism, for example “time machine” (system restore) or “sandbox” products; and 3. security systems based on the “system reinforcing” theory, such as a “secure operating system” (referred to as a secure OS for short).
Neither the “scanning and killing” nor the “shielding” mechanism can guarantee the security of the computer system in theory: the former recognizes only what it has already been taught to recognize, and the latter confines damage rather than preventing it. The “system reinforcing” mechanism, in practice, restricts the behavior of the computer in order to secure its operation; products based on this mechanism mainly include secure operating systems and other active-defense products. However, such products can provide security control only by restricting certain behaviors of the computer in isolation, so the usability of the computer is greatly restricted.
In practice, because of the complexity of computer structure, computer behavior and the variation of computer state, a given behavior of the computer may cause only a single change of state, or may trigger a series of reactions that lead to a series of state changes. Therefore the security of the computer system cannot be effectively ensured by determining the legitimacy of a behavior solely from the present behavior itself. This is why active-defense software can serve only as an auxiliary security system.
Further, because of the complexity of computer operation, a given specific behavior may be caused by a permitted program and may equally be caused by malicious code. If the legitimacy of a behavior is determined only from the behavior itself, a “one-size-fits-all” result follows: the permissible behavior and the impermissible behavior caused by malicious code are processed in the same way, and the security goal of effectively distinguishing the “good” from the “malicious” cannot be achieved.
Computer security must be systematic; solving a local problem cannot ensure the security of the computer system as a whole. For example, even when the static program code (the text segment) is guaranteed not to be modified, the security of the system is still not ensured if the code or parameters in memory are maliciously modified. Every operation the computer performs while running is a function the computer possesses, and no single operation is “good” or “malicious” in itself; for example, deleting a file, modifying memory or recombining instructions cannot be judged “good” or “malicious” in isolation.
Therefore, computer system security presently faces two main problems. The first is how to obtain a basis for determining the legitimacy of a computer behavior: when judging the legitimacy of a behavior of the computer system, no effective “evidence chain” can be formed to serve as the determining condition, so the basic problem of computer system security is to establish a “continuous” and “effective” determining mechanism. The second is how to effectively distinguish “good” behavior from “malicious” behavior: during the running of the computer system a behavior is in itself neither “good” nor “malicious”, and a given behavior becomes malicious only when it is used maliciously; thus the most crucial problem for the running security of the computer system is how to distinguish “good” behavior from “malicious” behavior.
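As an added illustration of the two problems above (not part of the original document, and not a description of its method), the following Python compares a verdict drawn from a single behavior with a verdict drawn from the evidence chain behind it. The same action, deleting a file, is performed once by a signed word processor and once by an unsigned binary that the word processor dropped into a temporary directory and that has already tampered with another process. The process trace, the paths and the evidence criteria are assumptions constructed for the example.

```python
"""Judging a behaviour in isolation versus against the chain of events that
produced it. Added example: the trace, image paths and evidence criteria are
constructed for the illustration and are not taken from the original document."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    image: str           # executable path of the acting process
    action: str          # "start", "delete_file", "modify_memory", ...
    target: str = ""     # file path or "pid:<n>" that the action touches
    signed: bool = True  # whether the image carries a valid code signature


# Actions a behaviour-only rule treats as dangerous regardless of context.
SENSITIVE_ACTIONS = {"delete_file", "modify_memory"}

# Constructed trace: a signed word processor deletes its own lock file; an
# unsigned binary it spawned from a temp directory patches its memory and then
# deletes a user document. Both deletions are the same action, "delete_file".
TRACE: List[Event] = [
    Event(100, 1, "C:/Windows/explorer.exe", "start"),
    Event(200, 100, "C:/Program Files/Office/WINWORD.EXE", "start"),
    Event(200, 100, "C:/Program Files/Office/WINWORD.EXE", "delete_file",
          "C:/Users/a/Documents/~$draft.docx"),
    Event(300, 200, "C:/Users/a/AppData/Local/Temp/update.exe", "start", signed=False),
    Event(300, 200, "C:/Users/a/AppData/Local/Temp/update.exe", "modify_memory", "pid:200"),
    Event(300, 200, "C:/Users/a/AppData/Local/Temp/update.exe", "delete_file",
          "C:/Users/a/Documents/report.docx"),
]


def judge_by_behavior(event: Event) -> str:
    """Behaviour-only rule: the action alone decides ("one-size-fits-all")."""
    return "block" if event.action in SENSITIVE_ACTIONS else "allow"


def _start_event(pid: int, trace: List[Event]) -> Optional[Event]:
    return next((e for e in trace if e.pid == pid and e.action == "start"), None)


def evidence_for(event: Event, trace: List[Event]) -> List[str]:
    """Collect the evidence chain behind one event: properties of the acting
    process, its earlier actions in the trace, and its parent process."""
    evidence: List[str] = []
    start = _start_event(event.pid, trace)
    if start is not None:
        if not start.signed:
            evidence.append("unsigned image")
        if "/Temp/" in start.image:
            evidence.append("image launched from temp directory")
    # Earlier actions of the same process, up to (not including) this event.
    for prior in trace[:trace.index(event)]:
        if (prior.pid == event.pid and prior.action == "modify_memory"
                and prior.target != f"pid:{event.pid}"):
            evidence.append(f"previously modified memory of {prior.target}")
    # Ancestry: an executable spawned by a document handler is notable.
    parent = _start_event(event.ppid, trace)
    if parent is not None and parent.image.upper().endswith("WINWORD.EXE"):
        evidence.append("spawned by a document handler")
    return evidence


def judge_by_chain(event: Event, trace: List[Event]) -> str:
    """Chain-based rule: a sensitive action is blocked only when the evidence
    chain behind it is suspicious; the same action with a clean chain is allowed."""
    if event.action not in SENSITIVE_ACTIONS:
        return "allow"
    return "block" if evidence_for(event, trace) else "allow"


def compare(trace: List[Event]) -> Dict[str, Dict[str, str]]:
    """Verdicts of both rules for every sensitive action, keyed by
    'pid:action:target' so the two deletions can be told apart."""
    out: Dict[str, Dict[str, str]] = {}
    for e in trace:
        if e.action in SENSITIVE_ACTIONS:
            out[f"{e.pid}:{e.action}:{e.target}"] = {
                "behavior_only": judge_by_behavior(e),
                "evidence_chain": judge_by_chain(e, trace),
            }
    return out


if __name__ == "__main__":
    for key, verdicts in compare(TRACE).items():
        print(key, verdicts)
```

The behaviour-only rule blocks all three sensitive events, including the word processor's harmless deletion of its own lock file; the chain-based rule allows that deletion and blocks only the two actions of the unsigned process, because the evidence it accumulated (unsigned image, temp directory, prior memory modification, spawned by a document handler) is what makes the otherwise neutral action malicious.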